UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office

Address: COMMISSIONER FOR PATENTS

APPLICATION NO.: 10/611,656
FILING DATE: 06/30/2003
FIRST NAMED INVENTOR: Philip T. Mellinger
ATTORNEY DOCKET NO.: 020375-029210US
CONFIRMATION NO.

20350 7590 06/08/2010

TOWNSEND and TOWNSEND and CREW, LLP
TWO EMBARCADERO CENTER
EIGHTH FLOOR
SAN FRANCISCO, CA 94111-3834

PAPER NUMBER
DELIVERY MODE
Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



Application No.: 10/611,656
Applicant(s): MELLINGER ET AL.
Examiner: SYED ZIA
Art Unit: 2431

-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --

Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS,
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status

1) [X] Responsive to communication(s) filed on 18 February 2010.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-24 is/are pending in the application.
4a) Of the above claim(s) ____ is/are withdrawn from consideration.
5) [ ] Claim(s) ____ is/are allowed.
6) [X] Claim(s) 1, 3-14 and 16-24 is/are rejected.
7) [X] Claim(s) 2 and 15 is/are objected to.
8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.
10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:
1. [ ] Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. ____.
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

PTOL-326 (Rev. 08-06) Office Action Summary Part of Paper No./Mail Date 20100601



Application/Control Number: 10/611,656
Art Unit: 2431

DETAILED ACTION 



This office action is in response to amendments and remarks filed on February 18, 2010. 
Claims 1-24 are pending. 

Response to Arguments 

Applicant's arguments with respect to claims 1-24 have been considered but are moot in 
view of the new ground(s) of rejection. 



Allowable Subject Matter 
Claims 2 and 15 are objected to as being dependent upon a rejected base claim, but would 
be allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 



Claim Rejections - 35 USC § 101 
1. 35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and
requirements of this title.

2. Claims 21-24 are rejected under 35 U.S.C. 101 because the claimed invention is directed
to non-statutory subject matter.

3. Claims 21-24 are rejected under 35 USC 101 since the claims are directed to
non-statutory subject matter. Claims 21-24 are directed towards a service implemented in a
computer-accessible and readable storage medium which appears to cover both transitory and
non-transitory embodiments. The specification merely recites the term "computer-accessible and
readable, storage medium", but no specific definition is provided to define this claimed term.
The United States Patent and Trademark Office (USPTO) is required to give claims their
broadest reasonable interpretation consistent with the specification during proceedings before the
USPTO. See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending
claims must be interpreted as broadly as their terms reasonably allow). The broadest reasonable
interpretation of a claim drawn to a computer readable medium (also called machine readable
medium and other such variations) typically covers forms of non-transitory tangible media and
transitory propagating signals per se in view of the ordinary and customary meaning of computer
readable media. See MPEP 2111.01. When the broadest reasonable interpretation of a claim
covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering
non-statutory subject matter. See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory
embodiments are not directed to statutory subject matter) and Interim Examination Instructions
for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.

4. The Examiner suggests that the Applicant add the limitation "non-transitory
machine-accessible and readable medium" to the claim(s) in order to properly render the claims in
statutory form in view of their broadest reasonable interpretation in light of the originally filed
specification. The examiner also suggests that the specification be amended to include the term
"non-transitory machine-accessible or readable storage medium" to avoid a potential objection to
the specification for a lack of antecedent basis of the claimed terminology.



Claim Rejections - 35 USC § 102

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for
patent by another filed in the United States before the invention by the applicant for patent, except that an
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this
subsection of an application filed in the United States only if the international application designated the United
States and was published under Article 21(2) of such treaty in the English language.

2. Claims 1, 3-14, 16-24 are rejected under 35 U.S.C. 102(e) as being anticipated by
Lineman et al. (U.S. Publication No.: 2003/0065942).

3. Regarding Claim 1, Lineman teaches and describes a method for implementing a security
risk assessment for a merchant entity having connectivity to a shared network, the method
comprising: receiving at a host computer system including a processor, from each of a plurality
of payment-processing organizations, a set of security requirements defining protocols for
implementing commercial transactions over the shared network using instruments identified with
the payment-processing organization; developing, with the processor at the computer system a
security test scheme having a set of test requirements whose satisfaction by the merchant entity
is sufficient to ensure compliance with the sets of security requirements defined by each of the
plurality of payment-processing organizations; and performing a remote scan of a network site
maintained by the merchant entity on the shared network in support of shared-network
commercial transactions with a security compliance authority server by the computer system, the
remote scan implementing at least a subset of the set of test requirements to evaluate compliance
by the merchant entity ([0036-0039, and 0078-0096]).

4. Regarding Claim 12, Lineman teaches and describes a method for assessing a security
risk for a merchant entity having connectivity to a shared network, the method comprising:
receiving, a host computer system including a processor information describing characteristics of
the merchant entity from the merchant entity; determining a host computer system including the
processor which test requirements of a security test scheme to use in assessing the security risk
for the merchant entity, wherein the security test scheme includes a set of test requirements
whose satisfaction by the merchant entity is sufficient to ensure compliance with a plurality of
sets of security requirements defined by a plurality of payment-processing organizations; and
executing the security test scheme with a security compliance authority server in accordance
with the determined test requirements ([0036-0039, and 0078-0096]).

5. Regarding Claim 21, Lineman teaches and describes a computer-readable storage
medium having a computer-readable program embodied therein for direction operation of a
security compliance authority server including a communications system, a processor, and a
storage device, wherein the computer-readable program includes instructions for operating the
security compliance authority server to assess a security risk for a merchant entity having
connectivity to a shared network in accordance with the following: receiving, with the
communications system, information describing characteristics of the merchant entity;
determining, with the processor, which test requirements of a security test scheme to use in
assessing the security risk for the merchant entity, wherein the security test scheme is stored on
the storage device and includes a set of test requirements whose satisfaction by the merchant
entity is sufficient to ensure compliance with a plurality of sets of security requirements defined
by a plurality of payment-processing organizations; and executing, with the processor, the
security test scheme in accordance with the determined test requirements ([0036-0039, and
0078-0096]).

6. Claims 3-11, 13, 16-20, and 22-24 are rejected applied as above rejecting Claims 1, 12,
and 21. Furthermore, Lineman teaches and describes a method and apparatus for establishing a
security policy wherein:

As per Claim 3, further comprising scheduling an on-site audit at the merchant entity
with the security compliance authority server, the on-site audit being structured to follow a
prescribed methodology for identifying a level of compliance with at least some of the test
requirements ([0084-0088]).

As per Claim 4, a satisfaction level of the test requirements required for compliance with
the test requirements is dependent on a characteristic of the merchant entity ([0087-0091]).

As per Claim 5, the characteristic comprises a shared-network transaction volume
processed by the merchant entity over the shared network ([0090]).

As per Claim 6, a frequency of performing the remote scan is dependent on a
characteristic of the merchant entity ([0093-0094]).

As per Claim 7, the characteristic comprises a shared-network transaction volume
processed by the merchant entity over the shared network ([0090]).

As per Claim 8, further comprising receiving information describing characteristics of the
merchant entity from the merchant entity at the host computer system to limit parameters of the
remote scan ([0092-0094]).

As per Claim 9, further comprising generating a report at the host computer system
summarizing a level of compliance by the merchant entity with the set of test requirements as
determined from performing the remote scan ([0083-0096]).

As per Claim 10, the merchant entity comprises an Internet merchant ([0025-0029]).

As per Claim 11, the merchant entity comprises an Internet merchant gateway ([0025-0029]).

As per Claim 13, executing the security test scheme comprises performing a remote scan
of a network site maintained by the merchant entity on the shared network in support of
shared-network commercial transactions with the security compliance authority server ([0078-0088]).

As per Claim 14, executing the security test scheme comprises scheduling an on-site
audit at the merchant entity with the security compliance authority server, the on-site audit being
structured to follow a prescribed methodology for identifying a level of compliance with at least
some of the test requirements ([0078-0088]).

As per Claim 16, determining which test requirements of the security test scheme to use
in assessing the security risk for the merchant entity is dependent on a characteristic of the
merchant entity ([0087-0091]).

As per Claim 17, the characteristic comprises a shared-network transaction volume
processed by the merchant entity over the shared network ([0088-0090]).

As per Claim 18, further comprising generating a report at the host computer system
summarizing a level of compliance by the merchant entity with the set of determined test
requirements as evaluated from executing the security test scheme ([0072-0091]).

As per Claim 19, the merchant entity comprises an Internet merchant ([0025-0029]).

As per Claim 20, the merchant entity comprises an Internet merchant gateway ([0025-0029]).

As per Claim 22, the instructions for executing the security test scheme comprise
instructions for performing a remote scan of a network site maintained by the merchant entity on
the shared network in support of shared-network commercial transactions ([0072-0091]).

As per Claim 23, the instructions for executing the security test scheme comprise
instructions for scheduling an on-site audit at the merchant entity ([0072-0091]).

As per Claim 24, the instructions for executing the security test scheme comprise
instructions for transmitting a questionnaire to the merchant entity ([0072-0091]).

Conclusion

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SYED ZIA whose telephone number is (571)272-3798. The 
examiner can normally be reached on 9:00 to 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

sz 

May 27, 2010 
/Syed Zia/ 

Primary Examiner, Art Unit 2431



